
3.8.1 SSO Active Directory + Linux

I’m running Openfire 3.8.1 on Ubuntu 12.04 and attempting to get SSO working against my AD 2008 system. LDAP-based auth is working fine, and SSO appears to be working for Messages on OS X 10.8, but not like I want.

I followed the directions at http://community.spiceworks.com/how_to/show/13930-openfire-enable-single-sign-on-sso-on-linux

What I want is for a user to be able to auto-discover the hostname and port for my XMPP server, set the username as user@domain.com, and be connected because they already have Kerberos creds. But currently SSO only works if I set my username to user@jabber01.domain.com.

What am I missing in my setup?

xmpp.fqdn = jabber01.domain.com

xmpp.domain = domain.com



So, more data. Pidgin appears to do everything properly, and I might just be fighting an iChat/Messages problem on OS X. In the client logs on OS X, Messages is trying to log into the wrong krb5 domain.

[Warning] SASL could not use GSSAPI as mechanism, error code: -1, detail: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (Server (krbtgt/COM@DOMAIN.COM) unknown while looking up ‘xmpp/domain.com@COM’ (cached result, timeout in 1196 sec) (negative cache))

Obviously this is incorrect. Anybody seen anything like this? If I change the Messages app to use the fqdn for both my JID and server then SSO works fine.
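
An added example, not part of the original post: a small Python check that pulls the requested service principal out of the GSSAPI error above and compares it with the `xmpp.fqdn` and `xmpp.domain` values from the post. The names `diagnose` and `fallback_realm` are hypothetical; the fallback rule is the one documented for MIT krb5 (the hostname's domain portion, upper-cased), and that the OS X client applies the same rule is an assumption.

```python
import re

# Values taken from the post; the log line is copied from it as sample input.
XMPP_FQDN = "jabber01.domain.com"
XMPP_DOMAIN = "domain.com"
LOG_LINE = (
    "[Warning] SASL could not use GSSAPI as mechanism, error code: -1, detail: "
    "SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text "
    "(Server (krbtgt/COM@DOMAIN.COM) unknown while looking up "
    "\u2018xmpp/domain.com@COM\u2019 (cached result, timeout in 1196 sec) (negative cache))"
)

# service/host@REALM after "looking up", with an optional straight or curly quote
SPN_RE = re.compile(r"looking up\s+['\u2018]?([\w.-]+)/([\w.-]+)@([\w.-]+)")
# krbtgt/<target realm>@<realm the client holds credentials in>
TGT_RE = re.compile(r"krbtgt/([\w.-]+)@([\w.-]+)")


def fallback_realm(host):
    """Realm guessed when no domain_realm mapping or referral applies:
    the hostname's domain portion, upper-cased (MIT krb5 documented default)."""
    _, _, parent = host.partition(".")
    return parent.upper()


def diagnose(line, fqdn=XMPP_FQDN, xmpp_domain=XMPP_DOMAIN):
    """Return a dict describing the principal the client asked for, or None."""
    spn = SPN_RE.search(line)
    tgt = TGT_RE.search(line)
    if not spn or not tgt:
        return None
    service, host, realm = spn.groups()
    client_realm = tgt.group(2)
    return {
        "requested_spn": f"{service}/{host}@{realm}",
        "client_realm": client_realm,
        "host_is_fqdn": host.lower() == fqdn,
        "host_is_xmpp_domain": host.lower() == xmpp_domain,
        "realm_matches_client": realm == client_realm,
        "realm_is_fallback_guess": realm == fallback_realm(host),
        "fallback_for_fqdn": fallback_realm(fqdn),
    }


if __name__ == "__main__":
    for key, value in diagnose(LOG_LINE).items():
        print(f"{key}: {value}")
```

On the log line from the post, the requested host is the XMPP domain rather than the server FQDN, and the realm `COM` equals the domain-portion guess for `domain.com`, while the same guess for `jabber01.domain.com` gives `DOMAIN.COM`.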